FlexVPN Site-to-Site Smart Defaults

This topic is to discuss the following lesson:

Hello,

Please would you assist to clarify the value that should be on peer command under crypto ikev2 keyring IKEV2_KEYRING.

e.g.:

crypto ikev2 keyring IKEV2_KEYRING
       peer xxxx

what represents the xxxx?

Thanks

Hello Byorn

The peer xxxx command is used to define the peer to peer group. It is a word you use to define that group. You can choose whatever you want. In the following lesson, Rene chooses to use “R2” which is the name of the remote router to which he is connecting. Take a look at this lesson which describes FlexVPN site-to-site configurations:

I hope this has been helpful!

Laz

1 Like

The ikev2profile kind of came out of left field with this:

match identity remote fqdn R2.NWL.LAB

There’s been no mention of dns or a dns server, unless I missed it, no discussion about configuring the ip-domain-lookup functionality. Does Cisco just assume you can put in any fqdn and it just works? Up to this point it’s just been ip addresses…

Hello William

You’re right, it is confusing! I believe the source of the confusion comes from the use of the fqdn keyword.

The use of FQDNs in IKEv2 profiles doesn’t require DNS resolution because these FQDN values simply serve as static identifiers rather than actual DNS queries.

The match identity remote fqdn command compares the peer’s declared identity against a preconfigured string. Peers exchange identities during IKEv2 negotiation as raw strings, not IP addresses. This FQDN value simply acts as an authentication fingerprint. Both devices must have matching configurations for local identity (e.g., identity local fqdn R1.NWL.LAB) and remote identity (e.g., match identity remote fqdn R2.NWL.LAB).

The approach is analogous to using pre-shared keys (PSKs) - both ends need identical configurations, but no underlying DNS infrastructure is required. This makes it suitable for static site-to-site VPNs where IP addresses might change but organizational naming remains consistent.

For the command, you can actually input whatever you want! For example you can issue the following command:

match identity remote fqdn helloworld

If the string matches, it will work. There are other options to use such as email, domain, or key ID. See this command reference for more details.

So these values simply serve as labels, but it is useful to have them use meaningful values rather than some dummy value like helloworld that I mentioned before. Does that make sense?

I hope this has been helpful!

Laz
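To show how the keyring peer name and the fqdn identities fit together, here is an added example configuration for both routers (not from the lesson or the thread above). The peer addresses 192.0.2.1/192.0.2.2 and the pre-shared key are constructed placeholders; the identity strings mirror the R1.NWL.LAB / R2.NWL.LAB values discussed in the answer.

```cisco
! ===== R1 (constructed example, assumes R2 is reachable at 192.0.2.2) =====
crypto ikev2 keyring IKEV2_KEYRING
 ! "R2" is only a label for this peer block; any word works here
 peer R2
  address 192.0.2.2
  pre-shared-key local CONSTRUCTED_PSK
  pre-shared-key remote CONSTRUCTED_PSK
!
crypto ikev2 profile IKEV2_PROFILE
 ! The FQDN strings are compared as plain text during IKE_AUTH;
 ! no DNS lookup is performed for either of them
 match identity remote fqdn R2.NWL.LAB
 identity local fqdn R1.NWL.LAB
 ! The identity only selects this profile/keyring; the PSK still
 ! provides the actual authentication of the peer
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYRING
!
! ===== R2 (mirror image: local/remote identities are swapped) =====
crypto ikev2 keyring IKEV2_KEYRING
 peer R1
  address 192.0.2.1
  pre-shared-key local CONSTRUCTED_PSK
  pre-shared-key remote CONSTRUCTED_PSK
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn R1.NWL.LAB
 identity local fqdn R2.NWL.LAB
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYRING
```

If either side mistypes its remote fqdn, the IKE_AUTH exchange fails with a profile-not-matched condition, which you can confirm with show crypto ikev2 sa and debug crypto ikev2 on the responder.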

Very helpful! Thanks

1 Like